The top 5 worst passwords of 2017 (and how to choose one that's secure)

Most Americans have lousy passwords that are incredibly easy to crack.



Dec. 29, 2017 / 9:02 PM GMT / Updated Dec. 29, 2017 / 9:02 PM GMT

By Herb Weisbaum

Here’s a New Year’s resolution that could make a big difference in your life: Resolve to update and improve the passwords to your online accounts.

The threat from cyber crooks is real and getting worse. And yet, most Americans still have lousy passwords that are incredibly easy to crack. The top five Worst Passwords of 2017, according to the just-released list from the password management company SplashData, are:

123456

Password

12345678

Qwerty

12345

Why do we do this?

Digital security experts tell NBC News it’s how many people deal with an overload of passwords. The average American internet user now has 150 online accounts, according to a recent survey by password management company Dashlane.

“It’s just a matter of convenience for most people,” said Ryan Merchant, Dashlane’s senior manager. “We don't want to have long, crazy-hard passwords to remember, so what do we do? We pick a simple password and we use it everywhere, and that makes it extremely easy for hackers.”

We all do it. Dashlane compiled a list of the Worst Password Offenders – high-profile people and organizations that suffered the most significant password-related blunders in 2017.

President Donald Trump topped the list. Members of his administration – including multiple cabinet secretaries, senior policy directors and even cybersecurity advisor Rudy Giuliani – were found to be using “unsecure, simple passwords” for multiple accounts, according to an investigation by the U.K.’s Channel 4 News. Trump also had direct connections to three of the other Top 10 offenders: the Republican Party, Paul Manafort and Sean Spicer.

Equifax was second on Dashlane’s worst offenders list. Two massive data breaches at the credit bureau gave cybercriminals access to personal data on nearly 150 million people in the U.S., U.K. and Canada. Equifax was taken to task for using the username/password combination "admin/admin" for some of its online portals, as reported by security researcher Brian Krebs.

Creating and Managing Secure Passwords

Researchers at Carnegie Mellon University have found that there are a lot of misconceptions about what makes a strong or weak password.

“What people don't realize is that the attackers don’t just sit down at a computer and make a few guesses. They use computer programs that can actually make millions or billions of guesses in minutes,” said Lorrie Cranor, director of CMU’s CyLab Usable Privacy and Security Laboratory (CUPS).

The CUPS team’s new guidelines for passwords are based on years of experiments to understand how attackers figure out passwords, as well as data collected from more than 50,000 online participants. Strong passwords are:

At least 12 characters, longer is better

A mix of upper and lower case letters, plus numbers or symbols

Avoid using names of people or pets, places you’ve lived, birthdays, sports teams or anything else that can be found on your social media accounts

Don’t use patterns, such as “abc,” “123” or “qwerty”

Avoid simple phrases, such as “letmein”

Having 20 characters made up of a string of words might be easier to remember. That’s fine as long as those words aren’t a well-known quote, your favorite song lyrics or something predictable, like “passwordpassword” or “xxxxxxxxxxxxxxx.”

If you’re required to change your password, adding a 1 or 2 or an exclamation point at the beginning or end of the old one doesn’t help much. In fact, attackers expect people to do this, Cranor told NBC News.
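As an added illustration (written for this page, not code from the article, CMU or NBC News), the Python checker below applies the CUPS guidelines above and the point about trivially editing an old password. The common-password set and the attacker's mangling rules are constructed assumptions and far smaller than what a real cracking tool uses; the idea they show is that a rule-based guesser finds "Tigers2017!" within a few dozen tries once it knows "Tigers2016".

```python
import re

# Constructed stand-in for a real breached-password list (assumed values for this example;
# a real checker would load millions of entries).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "letmein",
    "football", "iloveyou", "admin", "welcome", "monkey", "dragon",
}

# Alphabet and keyboard runs the guidelines say to avoid.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumed bolt-ons an attacker tries around a password it already knows.
SUFFIXES = ["1", "!", "2", "1!", "!1", "12", "123", "2017", "2018", "#", "?"]


def strip_mangling(pw):
    """Drop leading/trailing digits and symbols: 'Summer2017!' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def contains_sequence(pw, run=3):
    """True if `run` consecutive characters of any sequence appear, forwards or backwards."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def mangle_variants(old):
    """Ordered candidate list an attacker would try after learning the old password."""
    seen, out = set(), []

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    stem = strip_mangling(old)
    bases = [old]
    m = re.fullmatch(r"(.*?)(\d+)", old)          # Tigers2016 -> Tigers2017
    if m:
        head, num = m.groups()
        bases.append(f"{head}{int(num) + 1:0{len(num)}d}")
    bases += [old.capitalize(), old.lower(), old.upper(), stem.capitalize(), stem]
    for b in bases:
        add(b)
        for s in SUFFIXES:
            add(b + s)
            add(s + b)
    return out


def guesses_to_find(new, old):
    """1-based position of `new` in the attacker's list, or None if it is not a cheap variant."""
    variants = mangle_variants(old)
    return variants.index(new) + 1 if new in variants else None


def check_password(pw, old=None):
    """Return the guideline violations for `pw` (an empty list means it passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_other = any(not c.isalpha() for c in pw)
    # A 20+ character string of words is acceptable without the character-class mix.
    if len(pw) < 20 and not (has_lower and has_upper and has_other):
        problems.append("needs upper and lower case letters plus a digit or symbol")
    if contains_sequence(pw):
        problems.append("contains a run such as abc, 123 or qwerty")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats one character three or more times")
    base = strip_mangling(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("is a well-known password, with or without decoration")
    if base and re.fullmatch(r"(.+?)\1+", base):
        problems.append("is one word repeated, like passwordpassword")
    if old is not None and (base == strip_mangling(old) or pw in mangle_variants(old)):
        problems.append("is a trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("123456", None), ("Password123!", None),
                                ("Tigers2017!", "Tigers2016"),
                                ("correct horse battery staple", None)]:
        print(candidate, "->", check_password(candidate, previous) or "OK")
        if previous:
            print("  found by mangling rules at guess", guesses_to_find(candidate, previous))
```

The checks are deliberately cheap string tests: a real deployment would replace the constructed set with a large breached-password corpus and would not store the old password in the clear to compare against, but the shape of the rules, and the fact that "Password123!" fails on two counts while a 28-character phrase passes, is the point.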

How Can I Remember These Secure Passwords?

It’s not easy. That’s why so many people reuse the same password on multiple accounts – a big mistake.

“Once a bad guy figures out that you’re using a certain password, they will try it all over the Internet to see if it will work for other accounts,” said Bob Gourley, co-founder of Cognitio, a cybersecurity consulting firm in McLean, Va.


At the very least, you should have strong and unique passwords for your most important accounts – email, medical, and credit card, bank or any financial accounts. If you need to write them down and hide them in a desk drawer, that’s better than using “123abc,” security experts tell NBC News.

The smart move is to use a password manager. Cranor, who uses one, calls it “a pretty good solution for most people.”

Some password managers are free; others charge a fee. These services encrypt and store all of your passwords. That way, you only need to remember one very strong password for the password manager.

“A good password manager will not only create complex passwords for you that you don't have to remember, but it will also tell you if you're using the same password in multiple places and help you create new ones,” Gourley said. Consumer Reports recently reviewed four of the most popular brands: Dashlane, LastPass, 1Password and KeePass.
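As an added example (written for this page, not taken from the article or from any of the products named), here is what two of the conveniences Gourley describes look like in Python: generating random passwords and word-string passphrases from the operating system's cryptographic random source, and flagging the same password used on more than one account. The word list and the sample vault are constructed and far smaller than a real manager's; the symbol set is an assumption.

```python
import math
import secrets

# Character classes the guidelines call for; the symbol set is an assumed choice.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)

# Constructed 16-word list standing in for a real diceware-style list of thousands of words.
WORDLIST = ("apple", "basket", "cactus", "dolphin", "engine", "forest", "garden", "harbor",
            "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper")


def generate_password(length=16):
    """Uniform random password from the CSPRNG (never the `random` module), rejection-sampled
    until every character class is present so it satisfies the mix rule without bias."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(words=5, sep="-"):
    """String of randomly chosen words; strength comes from the list size, not the words."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(length, pool):
    """Bits of entropy for `length` independent uniform picks from `pool` choices."""
    return length * math.log2(pool)


def find_reuse(vault):
    """vault maps account -> password; returns {password: [accounts]} for any password
    used on more than one account, which is what a manager's reuse warning reports."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    print("random password :", generate_password(16),
          f"(~{entropy_bits(16, len(ALPHABET)):.0f} bits)")
    print("passphrase      :", generate_passphrase(5),
          f"({entropy_bits(5, len(WORDLIST)):.0f} bits from this tiny list; "
          f"{entropy_bits(5, 7776):.0f} bits from a 7776-word list)")
    # Constructed sample vault: the same password on the bank and the e-mail account.
    sample_vault = {"bank": "Summer2017!", "email": "Summer2017!", "forum": "x7#Qe9!rLm2p"}
    print("reused passwords:", find_reuse(sample_vault))
```

The entropy figures explain the article's advice: five words from a 16-word list is only 20 bits, five from a 7776-word list is about 65 bits, and 16 random characters from this 85-symbol alphabet is about 100 bits. The rejection loop discards candidates missing a class rather than patching one in, so the accepted passwords stay uniformly distributed over the allowed set.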